Changes between Initial Version and Version 1 of proposals/CSRFTokens


Timestamp: 02/24/13 11:37:42
Author: josegar74
= Proposal title =

|| '''Date''' || 2013/02/24 ||
|| '''Contact(s)''' || Jose García, Heikki Doeleman ||
|| '''Last edited''' || ||
|| '''Status''' || in progress ||
|| '''Assigned to release''' || To be determined ||
|| '''Resources''' || https://github.com/josegar74/core-geonetwork/tree/csrf ||
|| '''Ticket #''' ||  ||

== Overview ==

Improve the security of !GeoNetwork by adding support for CSRF tokens to prevent Cross-Site Request Forgery. Fixes have also been made to the user request parameters accepted by the main page, to prevent XSS attacks.

=== Proposal Type ===
 * '''Type''': Core Change
 * '''App''': !GeoNetwork
 * '''Module''': Jeeves, Services

=== Links ===
 * '''Documents''':
 * '''Email discussions''':
 * '''Other wiki discussions''':

=== Voting History ===
 * Vote proposed by X on Y, result was +/-n (m non-voting members).

----

== Motivations ==

Improve the security of !GeoNetwork to prevent CSRF (Cross-Site Request Forgery) attacks. This type of attack forces an end user to execute unwanted actions on a web application in which they are currently authenticated. See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) for additional information.

Additionally, the main page has been improved to prevent XSS attacks through user request parameters.

== Proposal ==

An effective way to prevent CSRF attacks is to generate a random string (CSRF token) that is included in application forms. When the form is submitted, the CSRF token is sent along with the other form data, and the server validates it before approving the request for processing.

This prevents a malicious website from submitting a request on the user's behalf, even if the browser holds a valid session, because the attacking site cannot obtain the token.

To implement this mechanism in !GeoNetwork:

'''1)''' A new base service class for services that require CSRF (Cross Site Request Forgery) tokens: {{{BaseSecureService}}}

This class validates the CSRF token:

 * If it is not valid, a {{{ServiceNotAllowedEx}}} exception is thrown.
 * If it is valid, the service processing continues.

Services that require CSRF tokens must extend this class and implement their logic in the {{{doExec}}} method instead of the {{{exec}}} method.

Code: https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/services/BaseSecureService.java
Example service requiring a CSRF token: https://github.com/josegar74/core-geonetwork/blob/csrf/web/src/main/java/org/fao/geonet/services/user/Update.java

'''2)''' A new service to create/retrieve a CSRF token: {{{secure.token}}}. This service provides the token to services that create forms (see next point) and can be used by scripts that call the !GeoNetwork services which have been changed to require CSRF tokens. For example, a script that calls {{{metadata.category}}} to update the categories of metadata must first call {{{secure.token}}} to obtain the token and then pass it in the {{{metadata.category}}} calls.

CSRF tokens are created using the Java {{{SecureRandom}}} class.

Code: https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/services/GetSecureToken.java, https://github.com/josegar74/core-geonetwork/blob/csrf/jeeves/src/main/java/jeeves/utils/CSRFUtil.java
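The following is an added, self-contained example of the mechanism described in points 1) and 2); it is not code from the !GeoNetwork branch linked above. The {{{Session}}}, {{{ServiceContext}}}, {{{GetSecureToken}}}, {{{BaseSecureService}}} and {{{UpdateUser}}} classes here are simplified stand-ins written for this example (the real Jeeves service interfaces and signatures differ), and the parameter name {{{_tk}}} is taken from the form snippet in point 3). It shows the token being created once per session with {{{SecureRandom}}}, handed out by the token service, and checked in the base class before {{{doExec}}} runs.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example of the synchronizer-token pattern the proposal describes.
// All classes below are stand-ins written for this example, not Jeeves/GeoNetwork code.
public class CsrfTokenExample {

    /** Request parameter name, as used by the hidden form field in the proposal. */
    static final String TOKEN_PARAM = "_tk";
    /** Session attribute under which the per-session token is stored (assumed name). */
    static final String SESSION_KEY = "csrf.token";

    /** Minimal stand-in for an authenticated user session. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        Object get(String k) { return attrs.get(k); }
        void set(String k, Object v) { attrs.put(k, v); }
    }

    /** Minimal stand-in for a service context: the caller's session plus request parameters. */
    static final class ServiceContext {
        final Session session;
        final Map<String, String> params;
        ServiceContext(Session s, Map<String, String> p) { session = s; params = p; }
    }

    /** Stand-in for the ServiceNotAllowedEx thrown when the token check fails. */
    static final class ServiceNotAllowedEx extends Exception {
        ServiceNotAllowedEx(String msg) { super(msg); }
    }

    /** Plays the role of CSRFUtil: create the token once per session, compare it safely. */
    static final class CsrfUtil {
        private static final SecureRandom RNG = new SecureRandom();

        /** Returns the session's token, generating 32 random bytes on first use. */
        static String getOrCreateToken(Session session) {
            String t = (String) session.get(SESSION_KEY);
            if (t == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.set(SESSION_KEY, t);
            }
            return t;
        }

        /** True only if the session has a token and the submitted value matches it (constant-time compare). */
        static boolean isValid(Session session, String submitted) {
            String expected = (String) session.get(SESSION_KEY);
            if (expected == null || submitted == null) return false;
            return MessageDigest.isEqual(expected.getBytes(UTF_8), submitted.getBytes(UTF_8));
        }
    }

    /** Plays the role of secure.token: hands the session token to a form or a script. */
    static final class GetSecureToken {
        String exec(ServiceContext ctx) { return CsrfUtil.getOrCreateToken(ctx.session); }
    }

    /** Plays the role of BaseSecureService: exec() checks the token, subclasses implement doExec(). */
    static abstract class BaseSecureService {
        final String exec(ServiceContext ctx) throws ServiceNotAllowedEx {
            if (!CsrfUtil.isValid(ctx.session, ctx.params.get(TOKEN_PARAM))) {
                throw new ServiceNotAllowedEx("Missing or invalid CSRF token");
            }
            return doExec(ctx);
        }
        protected abstract String doExec(ServiceContext ctx);
    }

    /** A hypothetical state-changing service built on the base class. */
    static final class UpdateUser extends BaseSecureService {
        @Override protected String doExec(ServiceContext ctx) {
            return "updated user " + ctx.params.get("username");
        }
    }

    public static void main(String[] args) throws Exception {
        Session session = new Session();

        // Legitimate flow: obtain the token first (as a form or script would), then submit it.
        String token = new GetSecureToken().exec(new ServiceContext(session, new HashMap<>()));
        Map<String, String> good = new HashMap<>();
        good.put("username", "alice");
        good.put(TOKEN_PARAM, token);
        System.out.println(new UpdateUser().exec(new ServiceContext(session, good)));

        // Forged request: same authenticated session, but no token, so the base class rejects it.
        Map<String, String> forged = new HashMap<>();
        forged.put("username", "alice");
        try {
            new UpdateUser().exec(new ServiceContext(session, forged));
        } catch (ServiceNotAllowedEx e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two details worth keeping when adapting this: the token is tied to the session and reused for every form in that session, so a form rendered before login cannot carry a valid token; and the comparison uses {{{MessageDigest.isEqual}}} rather than {{{String.equals}}} so that the check does not leak how many leading characters of the token were correct.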

'''3)''' Services that create forms which submit data to services requiring CSRF token validation must add this token to the form. This requires two changes:

- Update the service definition to provide the CSRF token:

{{{
<service name="user.edit">
        <class name=".services.user.Get" />

        <output sheet="user-update.xsl">
                <call name="groups" class=".guiservices.groups.GetMine" />
                <call name="groupsAndProfiles" class=".guiservices.groups.GetMineWithProfiles" />
                <call name="profiles" class="jeeves.guiservices.profiles.Get" />

                <call name="_tk" class="jeeves.services.GetSecureToken" />
        </output>
</service>
}}}

- Add the token value as a hidden field in the form:

{{{
<form name="userupdateform" accept-charset="UTF-8" action="{/root/gui/locService}/user.update?operation=editinfo" method="post">
        <input type="hidden" name="_tk" value="{/root/gui/_tk}"/>
}}}

Also as part of this work, security improvements to the main page's handling of user request parameters have been made to prevent XSS attacks: https://github.com/josegar74/core-geonetwork/commit/50f722f12c36e403ffa80724004e937db0ef2821

Useful resources:

 * https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 * http://ricardozuasti.com/2012/preventing-csrf-in-java-web-apps


=== Backwards Compatibility Issues ===

User scripts that use !GeoNetwork services to update data must be updated to call {{{secure.token}}} to retrieve the CSRF token and pass it to the services. See the Proposal description (point 2) for more details.

These changes do not affect interfaces like CSW.

=== New libraries added ===

== Risks ==

== Participants ==
 * Jose García
 * Heikki Doeleman